Currently, many systems in use to provide online or in-person security often employ security measures designed to authenticate the identity of subjects that are using the system. The process of “authentication” (i.e., the establishment or verification of identity) is the process of determining that the authentication subject is who he purports to be. There are different procedures for conducting authentication, and they each afford varying degrees of security.
Traditionally, subject authentication has been conducted in one of three ways: recognition of the subject (i.e., vouching), possession of a token by the subject, and shared knowledge. For authentication based on shared knowledge, the authentication system has access to information about the subject that should not be common knowledge. When the subject also convincingly demonstrates that he knows the same information, the subject's identity can be authenticated. The authenticating information is referred to as “shared” because it is known by both the authentication system and the authentication subject; otherwise, the information is not widely known.
In prior authentication systems, the shared authenticating information is typically stored in a database that the system can access as necessary to verify information provided by the authentication subject. Typical Web site login pages often provide a common example of this. The subject must provide a username and password, which the system verifies by accessing corresponding account records stored in a database.
Unfortunately, there are several disadvantages to the authentication systems of the prior art. One problem is that they are typically dependent on a single source of information. However, there are no perfect databases. No one database contains all possible query answers. Databases must constantly be maintained to ensure that they contain the most recent information. Even with such efforts, there are frequently gaps in coverage and insufficient accuracy in the data. Therefore, no one single database includes all the information needed for reliable authentication.
Additionally, systems that rely upon information stored in a single database are susceptible to fraud. If a mal-intending individual gains access to the sole database used in an authentication process, the integrity of the entire authentication system is compromised. Secure authentication systems should be designed such that it is very difficult for the security of the system to be compromised. The information used for authentication should not all be accessible from only one source.
Authentication systems that rely on a single database for verifying authenticating information are also limited in the types of authenticating queries they can present to an authentication subject. In addition to being limited by the coverage or accuracy deficiencies of the database being used, the authentication system is also limited to presenting authentication queries that are supported by the particular indexing structure employed by the database. For example, a query cannot authenticate a username and a password unless the database includes those records, and those records are indexed so as to associate those two fields for a given individual.
What is needed is an authentication system and method that provide secure, efficient, and effective identity authentication with greater flexibility in the type and scope of authentication queries employed. The present invention fulfill this need.